u/Nekuiko

Certificates in JDBC client connection into a DB2 server

In my experience, mostly from Windows, a CA-issued certificate usually has 3 elements – leaf, intermediate, and root. (I know, there is also a private key element.)

I am currently dealing with a Linux JDBC client connection into a mainframe z/OS DB2 port using AT-TLS (CDC), and the thing I am having difficulty confirming is which of the 3 elements of the certificate need to be in the JDBC client trust store.

AI is, as always, confidently saying that the mainframe only presents the leaf, and therefore the trust store on the client side needs to contain the intermediate and root certificates.

This is important when we later need to renew the certificate, because that means that if the intermediate and root certificates don’t change, the client trust store doesn’t need to be updated, and the server can freely switch to the new certificate.

But I cannot find confirmation that this is how it is supposed to be done; can anyone help me find a source?

More details: IBM CDC replication engine uses source and target concepts, where there are plenty of descriptions of certificate requirements; however, this isn’t about encryption between IBM CDC source and target agents, it is about the source agent’s connection to the source database, which in this case is a z/OS DB2 database.

ibm cdc replication engine db2 zos remote source (linux)

u/Nekuiko — 1 day ago
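
Added example, not part of the original post: a throwaway three-level PKI built with `openssl` to test the renewal reasoning in the question, using `openssl verify` as a stand-in for the client's certificate path validation (an assumption; the JDBC driver's own validation is not exercised). All names, subjects and file paths are constructed.

```shell
#!/usr/bin/env bash
# Constructed lab PKI (root -> intermediate -> leaf); every name here is made up.
set -eu
W=$(mktemp -d)

# issue NAME CN IS_CA [ISSUER]: new key + certificate, self-signed when ISSUER is empty.
issue() {
  name=$1; cn=$2; is_ca=$3; issuer=${4:-}
  printf 'basicConstraints=critical,CA:%s\n' "$is_ca" > "$W/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$W/$name.key" \
    -subj "/CN=$cn" -out "$W/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    set -- -signkey "$W/$name.key"
  else
    set -- -CA "$W/$issuer.pem" -CAkey "$W/$issuer.key" -CAcreateserial
  fi
  openssl x509 -req -in "$W/$name.csr" "$@" -extfile "$W/$name.ext" \
    -days 30 -out "$W/$name.pem" 2>/dev/null
}

# trusts BUNDLE LEAF [SENT]: does LEAF chain to an anchor in BUNDLE? SENT is an
# optional file of extra (untrusted) certificates the server sends with its leaf.
trusts() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

issue root  "Lab Root CA"         TRUE
issue inter "Lab Intermediate CA" TRUE  root
issue leaf1 "db2.lab.example"     FALSE inter   # certificate in use today
issue leaf2 "db2.lab.example"     FALSE inter   # renewal: new key, same issuer
cat "$W/inter.pem" "$W/root.pem" > "$W/ca-bundle.pem"   # trust store: intermediate + root

show() {
  label=$1; shift
  if trusts "$@"; then r=accept; else r=reject; fi
  echo "$r: $label"
}
show "intermediate+root trusted, server sends leaf only" "$W/ca-bundle.pem" "$W/leaf1.pem"
show "same trust store, renewed leaf"                    "$W/ca-bundle.pem" "$W/leaf2.pem"
show "root only trusted, server sends leaf only"         "$W/root.pem" "$W/leaf1.pem"
show "root only trusted, server sends leaf+intermediate" "$W/root.pem" "$W/leaf2.pem" "$W/inter.pem"
```

The third case is the one that decides what the trust store must hold: if the server sends only its leaf, the intermediate has to be available on the client. Which certificates a given server actually sends can be read from the output of `openssl s_client -connect <host>:<port> -showcerts` (host and port are placeholders).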